Daniel Shahaf <
danielsh@...> writes:
> Garrison, Jim (ETW) wrote on Thu, Jun 14, 2012 at 10:49:47 -0700:
>>
>> This is going to cause major headaches for a lot of people. OpenSSL
>> client versions 1.0.1 and later can and will cause earlier server
>> versions to hang at CLIENT HELLO. There are options in the OpenSSL
>> code to tailor the client behavior to avoid this, but they require
>> the client applications (i.e. subversion) to support setting these
>> options. For example
>>
>> ctx = SSL_CTX_new(...);
>> SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
>>
>> What's the possibility of getting an enhancement to subversion to support this in its server configuration?
>
> Haven't read everything, but Subversion does not call SSL_CTX_new() at
> all; its dependencies, libneon and/or libserf, do.
Both serf and neon do:
SSL_CTX_set_options(ctx, SSL_OP_ALL);
neon provides ne_ssl_context_set_flag() but it can only be used to
set/clear SSL_OP_NO_SSLv2.
--
Philip
